Customer communication
To ensure that we have all the necessary information at the start of each pentest, we usually request (where appropriate) a short introduction to the application or infrastructure in advance or at the beginning of the tests. Furthermore, shortly after the halfway point of the testing period, we typically arrange a meeting where we can present interim results and ask any follow-up questions.
This creates transparency regarding our activities, provides us with important insights into internal processes and business risks, and puts the vulnerabilities we find into the proper context.
Our preferred and recommended means of communication is the Signal Messenger. Alternatively, we use email (optionally with S/MIME encryption), our self-hosted NextCloud Talk, or Microsoft Teams, and we are happy to use other communication channels that our clients already have licensed and in use (e.g., Zoom or Google Meet).
We strive to report only vulnerabilities that pose an actual risk. In some cases, however, it is difficult or impossible for us to assess the business risk of a vulnerability. This is particularly the case with complex transactions or with processes into which we have no insight (such as internal company approval processes).
In these instances, we consult with our clients while the pentest is still ongoing. If doubts cannot be resolved, we generally document the potential vulnerability and state that its actual impact remains unclear to us.